1 .TH SLAPD.CONF 5 "20 January 1999" "OpenLDAP LDVERSION"
3 slapd.conf \- configuration file for slapd, the stand-alone LDAP daemon
9 contains configuration information for the
11 daemon. This configuration file is also used by the
13 replication daemon and by the LDBM indexing utilities
16 .BR ldif2id2entry (8),
18 .BR ldif2id2children (8).
22 file consists of a series of global configuration options that apply to
24 as a whole (including all backends), followed by zero or more database
25 backend definitions that contain information specific to a backend
33 # comment - these options apply to every database
34 <global configuration options>
35 # first database definition & configuration options
36 database <backend 1 type>
37 <configuration options specific to backend 1>
38 # subsequent database definitions & configuration options
42 As many backend-specific sections as desired may be included. Global
43 options can be overridden in a backend (for options that appear more
44 than once, the last appearance in the
46 file is used). Blank lines and comment lines beginning with a `#'
47 character are ignored. If a line begins with white space, it is
48 considered a continuation of the previous line.
50 Arguments on configuration lines are separated by white space. If an
51 argument contains white space, the argument should be enclosed in
52 double quotes. If an argument contains a double quote (`"') or a
53 backslash character (`\\'), the character should be preceded by a
56 The specific configuration options available are discussed below in the
57 Global Configuration Options, General Backend Options, LDBM
58 Backend-Specific Options, Shell Backend-Specific Options, and Password
59 Backend-Specific Options sections. Refer to "The SLAPD and SLURPD
60 Administrator's Guide" for more details on the slapd configuration
62 .SH GLOBAL CONFIGURATION OPTIONS
63 Options described in this section apply to all backends, unless specifically
64 overridden in a backend definition. Arguments that should be replaced by
65 actual text are shown in brackets <>.
68 access to <what> [ by <who> <accesslevel> ]+
69 Grant access (specified by <accesslevel>) to a set of entries and/or
70 attributes (specified by <what>) by one or more requestors (specified
71 by <who>). Refer to "The SLAPD and SLURPD Administrator's Guide" for
72 information on using the
74 access-control mechanisms.
77 attribute <name> [<name2>] { bin | ces | cis | tel | dn }
78 Associate a syntax with an attribute name. By default, an
79 attribute is assumed to have syntax
81 An optional alternate name can be
82 given for an attribute. The possible syntaxes and their meanings are:
97 telephone number string
106 defaultaccess [self]{ none | compare | search | read | write }
107 Specify the default access to grant requestors not matched by
108 any other access line. The default behavior is to grant read access.
110 .B idletimeout <integer>
111 Specify the number of seconds to wait before forcibly closing
112 an idle client connections. A idletimeout of 0 disables this
113 feature. The default is 0.
115 .B include <filename>
116 Read additional configuration information from the given file before
117 continuing with the next line of the current file.
119 .B pidfile <filename>
120 The ( absolute ) name of a file that will hold the
122 server's process ID ( see
124 ) if started without the debugging command line option.
126 .B argsfile <filename>
127 The ( absolute ) name of a file that will hold the
129 server's command line options
130 if started without the debugging command line option.
133 locale { <locale-name> | on | off }
134 Obey <locale-name>'s character classification and case conversion; i.e. the
136 LC_CTYPE category. See
138 for details about locales. "on" takes the locale from the environment,
139 typically $LANG or $LC_CTYPE, and will only work properly if slapd will
140 run with the same environment variables as when the database was
141 generated. "off" (the default setting) resets to the initial "C" locale.
143 .B loglevel <integer>
144 Specify the level at which debugging statements and operation
145 statistics should be syslogged (currently logged to the
147 LOG_LOCAL4 facility). Log levels are additive, and available levels
157 debug packet handling
160 heavy trace debugging
163 connection management
166 print out packets sent and received
169 search filter processing
172 configuration file processing
175 access control list processing
178 stats log connections/operations/results
181 stats log entries sent
184 print communication with shell backends
193 objectclass <name> requires <attrs> allows <attrs>
194 Define the schema rules for the object class named <name>. These are
195 used in conjunction with the schemacheck option.
198 Specify the referral to pass back when
200 cannot find a local database to handle a request.
202 .B schemacheck { on | off }
203 Turn schema checking on or off. The default is on.
205 .B sizelimit <integer>
206 Specify the maximum number of entries to return from a search operation.
207 The default size limit is 500.
210 Specify the srvtab file in which the kerberos keys necessary for
211 authenticating clients using kerberos can be found. This option is only
212 meaningful if you are using Kerberos authentication.
214 .B timelimit <integer>
215 Specify the maximum number of seconds (in real time)
217 will spend answering a search request. The default time limit is 3600.
218 .SH GENERAL BACKEND OPTIONS
219 Options in this section only apply to the configuration file section
220 for the backend in which they are defined. They are supported by every
223 .B database <databasetype>
224 Mark the beginning of a new database instance definition. <databasetype>
230 depending on which backend will serve the database.
235 will automatically maintain the
236 modifiersName, modifyTimestamp, creatorsName, and
237 createTimestamp attributes for entries. By default, lastmod is off.
240 This option puts the database into "read-only" mode. Any attempts to
241 modify the database will return an "unwilling to perform" error. By
242 default, readonly is off.
245 replica host=<hostname>[:port] "binddn=<DN>" bindmethod=simple |
247 kerberos [credentials=<password>] [srvtab=<filename>]
249 Specify a replication site for this database. Refer to "The SLAPD and
250 SLURPD Administrator's Guide" for detailed information on setting up
255 .B replogfile <filename>
256 Specify the name of the replication log file to log changes to.
257 The replication log is typically written by
263 for more information.
266 Specify the DN of an entry that is not subject to access control
267 or administrative limit restrictions for operations on this database.
270 Specify a password (or hash of the password) for the rootdn.
271 This option accepts all password formats known to the server
272 including \fB{SHA}\fP, \fB{MD5}\fP, \fB{CRYPT}\fP, and cleartext.
273 Cleartext passwords are not recommended.
275 .B suffix <dn suffix>
276 Specify the DN suffix of queries that will be passed to this
277 backend database. Multiple suffix lines can be given and at least one is
278 required for each database definition.
281 This option is only applicable in a slave
283 It specifies the DN allowed to make changes to the replica (typically,
286 binds as when making changes to the replica).
287 .SH LDBM BACKEND-SPECIFIC OPTIONS
288 Options in this category only apply to the LDBM backend database. That is,
289 they must follow a "database ldbm" line and come before any subsequent
290 "database" lines. The LDBM backend is a high-performance database that
291 makes extensive use of indexing and caching to speed data access.
293 .B cachesize <integer>
294 Specify the size in entries of the in-memory cache maintained
295 by the LDBM backend database instance. The default is 1000 entries.
297 .B dbcachesize <integer>
298 Specify the size in bytes of the in-memory cache associated
299 with each open index file. If not supported by the underlying database
300 method, this option is ignored without comment. The default is 100000 bytes.
303 Specify that database writes should not be immediately synchronized
304 with in memory changes. Enabling this option may improve performance
305 at the expense of data security.
307 .B directory <directory>
308 Specify the directory where the LDBM files containing the database and
309 associated indexes live. The default is
313 index { <attrlist> | default } [ pres,eq,approx,sub,none ]
314 Specify the indexes to maintain for the given attribute. If only
315 an <attr> is given, all possible indexes are maintained.
318 Specify the file protection mode that newly created database
319 index files should have. The default is 0600.
320 .SH SHELL BACKEND-SPECIFIC OPTIONS
321 Options in this category only apply to the SHELL backend database. That is,
322 they must follow a "database shell" line and come before any subsequent
323 "database" lines. The Shell backend executes external programs to
324 implement operations, and is designed to make it easy to tie an existing
335 .B compare <pathname>
345 .B abandon <pathname>
346 These options specify the pathname of the command to execute in response
347 to the given LDAP operation. The command given should understand and
348 follow the input/output conventions described in Appendix B of "The SLAPD
349 and SLURPD Administrator's Guide."
351 Note that you need only supply configuration lines for those commands you
352 want the backend to handle. Operations for which a command is not
353 supplied will be refused with an "unwilling to perform" error.
354 .SH PASSWORD BACKEND-SPECIFIC OPTIONS
355 Options in this category only apply to the PASSWD backend database.
356 That is, they must follow a "database passwd" line and come before any
357 subsequent "database" lines. The PASSWD database serves up the user
358 account information listed in the system
363 Specifies an alternate passwd file to use. The default is
366 "The SLAPD and SLURPD Administrator's Guide" contains an annotated
367 example of a configuration file.
372 .BR slapd.replog (5),
378 "The SLAPD and SLURPD Administrator's Guide"
381 is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
383 is derived from University of Michigan LDAP 3.3 Release.